This file has been manually created on a universal forwarder:
/opt/splunkforwarder/etc/apps/my_TA/local/inputs.conf
[monitor:///var/log/messages]
sourcetype=syslog
index=syslog
A new Splunk admin comes in and connects the universal forwarders to a deployment server and deploys the same app with a new inputs.conf file:
/opt/splunk/etc/deployment-apps/my_TA/local/inputs.conf
[monitor:///var/log/maillog]
sourcetype=maillog
index=syslog
Which file is now monitored?
When a universal forwarder connects to a deployment server, it pulls down the app configurations from the deployment server, overwriting any existing configurations of the same app. In this case, the new inputs.conf file being deployed by the deployment server specifies monitoring the /var/log/maillog file. The original inputs.conf file on the universal forwarder, which specified monitoring the /var/log/messages file, will be overwritten. Therefore, the file that is now monitored is /var/log/maillog.
https://answers.splunk.com/answers/728155/what-happens-if-you-deploy-an-inputsconf-from-a-ds.html B
B is the correct answer
Once UF (DS client) connects DS server, it will pull the /opt/splunk/etc/deployment-apps/my_TA/local/inputs.conf from DS server , so B is the correct answer.
B is correct. Apps from deployment server will overwrite any existing configuration
b correct answer
B is correct as soon as UF try to connect with DS it will pull updated conf and over write the existing conf.
The client phones home to the DS, performs a checksum match on the apps and configs, finds a mismatch in that particular app and conf file, downloads the app from the DS and overwrites the mismatched inputs.conf
I think that the C is the correct answer, because inputs.conf file from forwarder is set up to monitor "messages" file and "maillog" file is monitored by Depolyment Server. Files are differents.
That would be true if they didn't have the same app name. When you deploy an app with the same name, it will overwrite the inputs.conf file instead of merging.
It doesn't matter. The DS is deploying the configuration setting sunder the given app name. The forwarder, once cnnected to the DS, will do whatever the DS tells it to do from the app configuration settings.
A is the correct answer, becouse the file inputs.conf will by overwrite by deployment
sorry B is the correct
A is the correct answer, because the local always take precedence.
This question has nothing to do with precedence. In the first case, the inputs.conf is written locally on the forwarder. In the second case, this original inputs.conf is overwritten by the new inputs.conf settings because the configurations been redeployed from a DS.
Better to say "deployed" rather than redeployed, because it's the first time a DS is being used with the forwarder.
deployment client will reinstall the app with the same name that matches its expected hash.
This is a great example of the poorly written questions in a Splunk exam. Notice the path, it is in the "deployment-apps" folder which means it is on the DS, not the forwarder. Once it gets to the forwarder, it will then overwrite the inputs, and be located in the $SPLUNK_HOME/etc/apps folder.